Deep neural network (DNN) models are valuable intellectual property of model owners, constituting a competitive advantage. Therefore, it is crucial to develop techniques to protect against model theft. Model ownership resolution (MOR) is a class of techniques that can deter model theft. A MOR scheme enables an accuser to assert an ownership claim for a suspect model by presenting evidence, such as a watermark or fingerprint, to show that the suspect model was stolen or derived from a source model owned by the accuser. Most of the existing MOR schemes prioritize robustness against malicious suspects, ensuring that the accuser will win if the suspect model is indeed a stolen model. In this paper, we show that common MOR schemes in the literature are vulnerable to a different, equally important but insufficiently explored, robustness concern: a malicious accuser. We show how malicious accusers can successfully make false claims against independent suspect models that were not stolen. Our core idea is that a malicious accuser can deviate (without detection) from the specified MOR process by finding (transferable) adversarial examples that successfully serve as evidence against independent suspect models. To this end, we first generalize the procedures of common MOR schemes and show that, under this generalization, defending against false claims is as challenging as preventing (transferable) adversarial examples. Via systematic empirical evaluation we demonstrate that our false claim attacks always succeed in all prominent MOR schemes with realistic configurations, including against a real-world model: Amazon's Rekognition API.

翻译：深度神经网络模型是模型所有者宝贵的知识产权，构成了其竞争优势。因此，开发模型保护技术以防止模型盗窃至关重要。模型所有权解析是一类能够威慑模型盗窃的技术。MOR方案使指控者能够通过呈现证据（如水印或指纹）来主张对嫌疑模型的所有权，以证明该嫌疑模型是从指控者拥有的源模型窃取或衍生而来。现有的大多数MOR方案优先考虑针对恶意嫌疑人的鲁棒性，确保当嫌疑模型确实为被窃模型时指控者胜诉。本文表明，文献中常见的MOR方案存在另一个不同但同等重要且尚未充分探讨的鲁棒性问题：恶意指控者。我们展示了恶意指控者如何能够成功地对未被窃取的独立嫌疑模型提出虚假声称。我们的核心思想是，恶意指控者可以通过寻找能作为针对独立嫌疑模型证据的（可迁移）对抗性样本，从而（在不被察觉的情况下）偏离指定的MOR流程。为此，我们首先归纳了常见MOR方案的流程，并表明在这种归纳下，防御虚假声称与防止（可迁移）对抗性样本同样具有挑战性。通过系统性实证评估，我们证明所有主流MOR方案在现实配置下（包括针对真实世界模型：亚马逊的Rekognition API）均能成功实施我们的虚假声称攻击。